Named volume for workflows and added init for mountpoint for runtime #1945
@TreeSloths is attempting to deploy a commit to the OpenStatus Team on Vercel. A member of the Team first needs to authorize it.

@thibaultleouay @mxkaske Have you had the chance to review this PR?

@TreeSloths sorry weekend hit me hard, doing it now

@claude review this

I'll analyze this and get back to you.

Pull request overview
This PR fixes a first-run permission error (issue #1940) where the `openstatus-workflows` container fails because its `./data:/app/data` bind mount creates the directory as root, but the container runs as `USER 1000:1000`. The fix applies two complementary changes: switching from bind mounts to named Docker volumes, and pre-creating the `/app/data` directory with correct ownership in the Dockerfile.
Changes:
- Replaced the `./data:/app/data` bind mount with a named volume `workflows-data` in both `docker-compose.yaml` and `docker-compose.github-packages.yaml`
- Added `mkdir -p /app/data && chown -R 1000:1000 /app/data` to the root run command in `dofigen.yml`, which propagates to the generated `Dockerfile` and `dofigen.lock`
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docker-compose.yaml | Added workflows-data named volume definition and updated workflows service to use it |
| docker-compose.github-packages.yaml | Same named volume change as above for the GitHub packages compose variant |
| apps/workflows/dofigen.yml | Added mkdir -p /app/data && chown -R 1000:1000 /app/data to the root run step |
| apps/workflows/Dockerfile | Auto-generated Dockerfile reflecting the dofigen.yml change |
| apps/workflows/dofigen.lock | Auto-generated lock file reflecting the dofigen.yml change and updated hash |

Resolves #1940
Changed from bind volume to named volume, which solved the host-side directory permissions conflict.
This, however, exposed a second issue, which is another permission error as before. The workflows image does not create `/app/data/` before switching to `USER 1000:1000`; it only sets `workdir: /app/`, copies app files, installs packages, then runs as `1000:1000`. The image does not initialize the mountpoint for non-root runtime. This was solved by adding the following commands to the dofigen file:
Initializing the directory before dropping privileges.
Test
After building the container locally and running the compose file, the compose file ran without a single hiccup for the first time compared to before.
The trade-off, however, is that with `/data/` no longer being a bind mount, it is not "as easy" to see where the directory actually exists on the host; however, using `docker inspect` reveals the path:
So e.g. in my case:
"/var/lib/docker/volumes/openstatus-workflows-data/_data"